The one with a password manager: mobile apps

In previous posts of this series I talked about pass and Browserpass, the desktop utility and the browser extension I use to manage my passwords in Ubuntu Mate 22.04. I recommend you to first read those posts in case you are unfamiliar with the concept of password manager or password store.

Today I'd like to talk about Password Store, an Android client for pass that aims to implement most of its capabilities; and OpenKeychain, an OpenPGP implementation for Android.

In case you're an iOS user, definitely this is not the post you're looking for, but the good news is that passfarios gets you covered as well.

Now let me introduce you to both apps.

Password Store

Official binary releases are available through 4 different channels, each serving their own purpose.

Play Store and GitHub Releases always contain the latest stable release. At the moment of writing the latest version is 1.13.5, released on July 28, 2021.

F-Droid is a FOSS-only store (Free and Open-Source Software) that takes the open source code and generates their own builds from it. F-Droid usually lags behind primary release channels, and a subset of functionality might be missing due to the requirement that binaries only contain FOSS code.

GitHub Releases contains both the free and nonFree variants, of which the nonFree variant then gets uploaded to the Play Store and the free variant to F-Droid. More details in the page about build types.

Snapshot builds are generated on each push to the development branch and may contain unfinished and broken features, or more often, early access to bugfixes. These also ship with additional debugging code that simplify reporting of issues.

The project is in the process of rewriting the documentation from scratch. The work-in-progress state is available here and the old documentation is available in the wiki.

GitHub Discussions can be used in case you don't understand something, or want to discuss a feature request in more detail with all community members before pitching it to maintainers.

Some highlights:

• Autofill on Android 8 and above.

• Access to the password store protected with fingerprint.

• Passwords copied to the clipboard for 45 seconds (by default, time is configurable).

• In-app SSH key generation to clone, pull changes from and push changes to the password store repository.

• Full management of secure passwords within the app.

OpenKeychain

It's a free software based on the well established OpenPGP standard making encryption compatible across devices and systems.

The app is available through 2 different channels: Play Store and F-Droid. At the moment of writing the latest version is 5.8.2, released on January 7, 2023.

However, the project is in maintenance mode since August 2021:

WARNING: This software is no longer actively developed. We will still apply security fixes where reported, and do basic maintenance work, but no new features or will be worked on. We will try to consider and merge contributions where possible.

Most documentation is available in the wiki and other useful information is available in the FAQ page on their website. Among other interesting stuff, you could find information about security or how to import a backup with GPG.

The help page can be used in case you want to get in touch with the their community.

Configuration

I'll show you here only the configuration required to make both apps work together.

The first time you start Password store, you will see following screen:

Press "Let's go" button to start configuring the app:

In my case, I've a remote repository on GitHub, so I choose "Clone remote repo".

Fill out the repository information with the remote URL, the branch and the authentication mode you prefer:

If you try to save now without having an SSH key created, you'll see following error:

You can either import an existing SSH key or generate one for this purpose. I chose the latter option:

In the project wiki there is more info about generating SSH keys.

Choose the desired type and press "Generate". The public key will be then displayed:

If you try to save now without storing the SSH key on GitHub (or you Git server of choice), you'll be asked for the repository credentials:

Obviously, that's not what we want, so the key must be stored on GitHub.

Go to https://github.com/<username>/<repository>/settings/keys:

Go to https://github.com/<username>/<repository>/settings/keys/new ("Add deploy key" button) to add the SSH key:

I only use the app to read those secure passwords, so I don't check "Allow write access". Being so, bear in mind that in the app you will only be able to pull changes from the repo.

Go back to the app and press "Clone" button:

The result after the repository is successfully cloned:

Assuming you don't have OpenKeychain already installed, if you try to get any given password will result in following error:

Once the app is installed, if you try again you'll see following dialog:

Without any GPG key in OpenKeychain yet, following error will appear:

Error from OpenKeychain: No encrypted data with known secret key found in stream!

Check details provided by Password Store about exporting a GPG key.

Next switch to OpenKeychain app:

Select "Import key from file" option:

You can import the GPG key from the clipboard or from a file present in the device.

Right before importing the key, you'll see details about that key:

Once the key is imported you'll see it listed in the app:

Go back to Password Store and you'll see the following dialog if you try to get any given password:

Allow access and you'll be asked about GPG key password:

The GPG key password will be remembered until cleared by default, but there are other options available as well:

At this point your password will be available in the clipboard for 45 seconds (default) and a notification will appear in your device:

It's worth noting that if you left the default option when you entered the GPG key password, until you specifically clear the password you'll be able to access to any saved password without be asked again for it. Sometimes that's what you want, but sometimes it's not.

Let's improve the UX enabling the autofill feature.

At the top right of the main screen, select the three dots:

Go to settings:

Enable autofill feature:

Configure autofill service in Android:

Select Password Store from the list and confirm that you trust the app:

New options appear in the settings menu once autofill is enabled:

Example with any Android app, in this case Goodreads:

Search in store for "Goodreads":

Credentials are automatically filled once selected:

Next time, the password previously used is displayed at the top:

Example with any website, in this case GitHub:

And that's it. Both apps are correctly configured and working as one could expect.

Other options

If you recall, the SSH key didn't have write permissions, so you won't be able to push changes to the remote repo:

You can edit Git server settings:

For more security accessing the password store, enable biometric authentication:

In case you want to generate passwords from the app, you could select the generator type:

You could organize passwords as desired:

Main menu in OpenKeychain:

Encrypt and decrypt files and text:

Supported apps:

Backup and restore:

Other settings:

Some information about any of your GPG keys is available:

You could change the GPG key password or create a backup, for instance:

New GPG keys can be added in different ways:

Manage or update GPG keys:

Advanced settings for a GPG key:

Conclusion

I highly value the functionality provided by these apps, although I wish I didn't have to install 2 different apps for that. For a long time the maintainers of both projects have considered the possibility of making OpenKeychain a library rather than a separate app, but no progress have been made, let alone now that the project is in maintenance mode.

A new version of Password Store app has not been released in over 2 years, but taking a look at the activity in issues and pull requests merged the project seems to be active yet.

Either way, it's quite easy to configure both apps and making them work together. Not to mention that I haven't found any critical error so far, at least with the basic use I make of them.

Thank you for reading and see you in the next one!